Hello,
I don't want my users to become root with simply executing the 'sudo -i' command so they can execute all root commands. Users should only execute with sudo the allowed defined commands. I'm able to prevent them from executing 'sudo su -', but I didn't find any information about forbidding 'sudo -i'.
Thank you for your help.
On 21.09.23 18:21, Nathanaël Blanchet via FreeIPA-users wrote:
> I don't want my users to become root with simply executing the 'sudo -i' command so they can execute all root commands. Users should only execute with sudo the allowed defined commands. I'm able to prevent them from executing 'sudo su -', but I didn't find any information about forbidding 'sudo -i'.
There is no good solution for this.
You can try something like
username ALL=(ALL) ALL, !/usr/bin/bash, !/usr/bin/vi
But you have to specify all dangerous commands like vi, strace and so on. So please avoid this. To be safe, you have to define a whitelist of commands. Or to trust your users.
Best regards Ulf
Ulf Volmer via FreeIPA-users wrote:
> On 21.09.23 18:21, Nathanaël Blanchet via FreeIPA-users wrote:
> > I don't want my users to become root with simply executing the 'sudo -i' command so they can execute all root commands. Users should only execute with sudo the allowed defined commands. I'm able to prevent them from executing 'sudo su -', but I didn't find any information about forbidding 'sudo -i'.
> There is no good solution for this.
> You can try something like
> username ALL=(ALL) ALL, !/usr/bin/bash, !/usr/bin/vi
> But you have to specify all dangerous commands like vi, strace and so on. So please avoid this. To be safe, you have to define a whitelist of commands. Or to trust your users.
HBAC can do this better.
HBAC controls who is allowed to use PAM services. sudo-i is a PAM service. It is allowed now, I'm assuming, because you have the HBAC allow_all rule enabled.
If you disable or delete it then nobody will do anything so be careful. Everything, including ssh, is denied by default without this rule.
So you'll need to create rules to allow the services you want, for the users/groups you want, on the hosts you want. There is also a rule-level glob for all users/groups and all hosts/hostgroups. So it can be as fine-grained as you'd like.
You have to be very careful with sudo because users can be very crafty. If they can call cp, ln or mv with sudo then they can create their own /usr/bin/rcritsh which could allow them to do what they want because it isn't in the prohibited. chmod can also be used in unexpected ways. The sudoers man page has a lot to say about ! under SECURITY NOTES.
rob
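The default-deny behaviour described in the message above, as an added example that is not part of the original post or of FreeIPA: a toy Python model of HBAC evaluation. The rule name ops_ssh_sudo and all function names are hypothetical; allow_all, testuser and client.ipa.example are names that appear in this thread.

```python
# Added example: toy model of HBAC evaluation (allow rules only, default deny).
from dataclasses import dataclass

ALL = "all"  # stands for a rule's user/host/service category "all"


@dataclass
class HbacRule:
    name: str
    users: object      # set of user names, or ALL
    hosts: object      # set of host names, or ALL
    services: object   # set of PAM service names, or ALL
    enabled: bool = True

    def matches(self, user, host, service):
        def hit(members, value):
            return members == ALL or value in members
        return (self.enabled and hit(self.users, user)
                and hit(self.hosts, host) and hit(self.services, service))


def matching_rules(rules, user, host, service):
    """Names of enabled rules that grant this request; empty list means denied."""
    return [r.name for r in rules if r.matches(user, host, service)]


def evaluate(rules, user="testuser", host="client.ipa.example"):
    """Allow/deny outcome per PAM service for one user on one host."""
    return {svc: bool(matching_rules(rules, user, host, svc))
            for svc in ("sshd", "sudo", "sudo-i")}


# Constructed rule set. ops_ssh_sudo is a hypothetical replacement rule that
# grants ssh logins and the 'sudo' PAM service, but not 'sudo-i'.
allow_all = HbacRule("allow_all", ALL, ALL, ALL)
allow_all_disabled = HbacRule("allow_all", ALL, ALL, ALL, enabled=False)
ops_ssh_sudo = HbacRule("ops_ssh_sudo", {"testuser"},
                        {"client.ipa.example"}, {"sshd", "sudo"})

if __name__ == "__main__":
    print("allow_all enabled :", evaluate([allow_all, ops_ssh_sudo]))
    print("allow_all disabled:", evaluate([allow_all_disabled, ops_ssh_sudo]))
    print("no other rule     :", evaluate([allow_all_disabled]))
```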
On 21.09.23 19:17, Rob Crittenden via FreeIPA-users wrote:
> HBAC can do this better. HBAC controls who is allowed to use PAM services. sudo-i is a PAM service. It is allowed now, I'm assuming, because you have the HBAC allow_all rule enabled.
> If you disable or delete it then nobody will do anything so be careful. Everything, including ssh, is denied by default without this rule.
So with HBAC I'm able to let a user run 'vim /etc/fstab' and prevent him from escaping and starting a shell?
That's great! I should try to look into it.
Best regards
Ulf
Ulf Volmer via FreeIPA-users wrote:
> On 21.09.23 19:17, Rob Crittenden via FreeIPA-users wrote:
> > HBAC can do this better. HBAC controls who is allowed to use PAM services. sudo-i is a PAM service. It is allowed now, I'm assuming, because you have the HBAC allow_all rule enabled.
> > If you disable or delete it then nobody will do anything so be careful. Everything, including ssh, is denied by default without this rule.
> So with HBAC I'm able to let a user run 'vim /etc/fstab' and prevent him from escaping and starting a shell?
> That's great! I should try to look into it.
Not really. If you allow sudo to be executed then you're back to the same issues. What the original poster asked for was a way to not allow users to run sudo-i. That is possible with HBAC.
rob
On 21.09.23 20:14, Rob Crittenden via FreeIPA-users wrote:
> Ulf Volmer via FreeIPA-users wrote:
> > So with HBAC I'm able to let a user run 'vim /etc/fstab' and prevent him from escaping and starting a shell?
> > That's great! I should try to look into it.
> Not really. If you allow sudo to be executed then you're back to the same issues. What the original poster asked for was a way to not allow users to run sudo-i. That is possible with HBAC.
In this case maybe the OP asked the wrong question.
I assumed he doesn't want to disallow only 'sudo -i'; I thought he wants to disable all shell access, so 'sudo bash' and so on. But maybe I was wrong.
Best regards
Ulf
On 21/09/2023 18:30, Ulf Volmer via FreeIPA-users wrote:
> On 21.09.23 19:17, Rob Crittenden via FreeIPA-users wrote:
> > HBAC can do this better. HBAC controls who is allowed to use PAM services. sudo-i is a PAM service. It is allowed now, I'm assuming, because you have the HBAC allow_all rule enabled.
> > If you disable or delete it then nobody will do anything so be careful. Everything, including ssh, is denied by default without this rule.
> So with HBAC I'm able to let a user run 'vim /etc/fstab' and prevent him from escaping and starting a shell?
No, HBAC controls whether a user can use the 'sudo' and/or 'sudo-i' PAM services.
If a user can use the 'sudo' PAM service then they are able to launch sudo with a command line of their choice. sudo rules then determine whether sudo will accept or reject that command line.
If the sudo rules let the user run 'vim' then it's game over. Same applies for most other programs unless proven safe!
The sudo-users mailing list https://www.sudo.ws/mailman/listinfo/sudo-users is probably a good place to ask for help with writing sudo rules.
One tool you have is the 'sudoedit' command. This lets you allow a user to edit files without running their editor as root.
However you still have to think very carefully about which files they're able to edit!
For instance, if you let them edit /etc/fstab then they can create a filesystem image containing a setuid executable, and then allow themselves to mount it by adding an fstab entry with the 'user' option...
On 21/09/2023 18.21, Nathanaël Blanchet via FreeIPA-users wrote:
> Hello,
> I don't want my users to become root with simply executing the 'sudo -i' command so they can execute all root commands. Users should only execute with sudo the allowed defined commands. I'm able to prevent them from executing 'sudo su -', but I didn't find any information about forbidding 'sudo -i'.
You can limit which commands a user can execute, the hosts, and target user/group with sudo rules and HBAC rules:
- https://freeipa.readthedocs.io/en/latest/workshop/8-sudorule.html
- https://access.redhat.com/documentation/de-de/red_hat_enterprise_linux/8/htm...
The restrictions also allow you to block sudo -i and su -i either with a custom HBAC rule (you need to disable the default allowed_all rule) or with additional allow/deny commands for your sudo rule. "sudo -i" is just an alias for "run user's default shell as login shell". You could block all login shells. If you want a more secure rule, then only allow a well-defined list of commands and arguments.
Example:
$ sudo -i
Sorry, user testuser is not allowed to execute '/bin/bash' as root on client.ipa.example.
$ sudo -l
Matching Defaults entries for testuser on client:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset,
    env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin:/bin:/usr/sbin:/usr/bin
User testuser may run the following commands on client:
    (ALL : ALL) NOPASSWD: !/usr/bin/zsh, !/usr/bin/sudo, !/usr/bin/su, !/usr/bin/sh, !/usr/bin/ksh, !/usr/bin/bash
$ ipa sudorule-show example-sudo
  Rule name: example-sudo
  Enabled: True
  RunAs User category: all
  RunAs Group category: all
  Users: testuser
  Host Groups: example-hosts
  Sudo Deny Command Groups: shells_sudo
  Sudo Option: !authenticate
$ ipa sudocmdgroup-show shells_sudo
  Sudo Command Group: shells_sudo
  Member Sudo commands: /usr/bin/bash, /usr/bin/ksh, /usr/bin/sh, /usr/bin/su, /usr/bin/sudo, /usr/bin/zsh
freeipa-users@lists.fedorahosted.org
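Why the deny-list rules discussed in this thread leave gaps, as an added example that is not part of any post and is not sudo's own code: a simplified Python model of sudoers command matching (exact paths only, last match wins) with a small rule audit. The allow-list paths are hypothetical site scripts, the function names are made up for the example, and /usr/bin/rcritsh is the path named earlier in the thread.

```python
# Added example: simplified model of sudoers command matching. Exact paths
# only (no wildcards, arguments or digests); the last matching entry wins.

# Commands the thread names as unsafe to grant through sudo.
RISKY = {"vi", "vim", "strace", "cp", "ln", "mv", "chmod"}


def parse_cmnd_list(spec):
    """Split 'ALL, !/usr/bin/bash' into [(allow, pattern), ...]."""
    entries = []
    for item in spec.split(","):
        item = item.strip()
        if item:
            entries.append((not item.startswith("!"), item.lstrip("!").strip()))
    return entries


def is_allowed(entries, path):
    """True if the command list accepts `path`; no match means deny."""
    verdict = False
    for allow, pattern in entries:
        if pattern == "ALL" or pattern == path:
            verdict = allow  # later entries override earlier ones
    return verdict


def audit(spec):
    """Findings a reviewer would raise for one command list."""
    entries = parse_cmnd_list(spec)
    findings = []
    if any(allow and pattern == "ALL" for allow, pattern in entries):
        if any(not allow for allow, _ in entries):
            findings.append("deny-list: ALL with '!' exclusions accepts any unlisted path")
        else:
            findings.append("unrestricted: ALL")
    for allow, pattern in entries:
        if allow and pattern.rsplit("/", 1)[-1] in RISKY:
            findings.append(f"risky command allowed: {pattern}")
    return findings


# Constructed rules: the deny-list quoted in the thread, and a hypothetical
# allow-list of two site scripts.
DENY_LIST = parse_cmnd_list("ALL, !/usr/bin/bash, !/usr/bin/vi")
ALLOW_LIST = parse_cmnd_list("/usr/local/sbin/backup-db, /usr/local/sbin/rotate-logs")

if __name__ == "__main__":
    for path in ("/usr/bin/bash", "/usr/bin/rcritsh"):
        print(path, is_allowed(DENY_LIST, path), is_allowed(ALLOW_LIST, path))
    print(audit("ALL, !/usr/bin/bash, !/usr/bin/vi"))
```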